The Security Server's business log is stored in the message log database, which contains all the messages processed by the Security Server. Each message is time-stamped and signed, which makes it possible to verify the message content afterwards. By default, time-stamped messages are archived from the database to disk every six hours. Time-stamped and archived messages are kept in the message log database for 30 days, after which they are removed automatically.
More information about the message log can be found at: https://github.com/ria-ee/X-Road/blob/develop/doc/Manuals/ug-ss_x-road_6_security_server_user_guide.md#11-message-log
The archived log records are not automatically transferred to an external host or log storage for long-term archiving purposes. It is the administrator’s responsibility to configure the transfer of the logs to a long-term storage.
Azure Blob Storage can be used as long-term storage for the Security Server logs. Azure Blob Storage is Microsoft's object storage solution for the cloud. Azure Blob Storage always encrypts data both in transit and at rest. For additional security, a customer-managed or customer-provided encryption key can be used to encrypt data at rest.
More information about Azure Blob Storage can be found at: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview
To store and transfer the archived message log records in a Blob Storage container, follow the steps below.
N.B.! Replace <STORAGE_ACCOUNT> and <CONTAINER> in the azcopy copy command (line 11 of the script) with the names of your storage account and container. The script below is only an example and is therefore not recommended for production use as is.
#!/bin/bash

# Log in by using the system-assigned managed identity of the VM
LOGIN=$(azcopy login --identity)
if [[ "$LOGIN" != *"Login with identity succeeded"* ]]; then
    echo "$LOGIN"
    exit 1
fi

# Copy X-Road message log archives to the specified STORAGE_ACCOUNT and CONTAINER
OUTPUT=$(azcopy copy "/var/lib/xroad/*.zip" 'https://<STORAGE_ACCOUNT>.blob.core.windows.net/<CONTAINER>')

# Get the ID of the copy job (a GUID) from azcopy's output
ID=$(echo "$OUTPUT" | grep -Po '(\w+-\w+-\w+-\w+-\w+)' | head -1)
if [[ -z "$ID" ]]; then
    echo "Could not determine the azcopy job ID from the output:"
    echo "$OUTPUT"
    exit 1
fi

# Get the list of files that were successfully copied
FILES=$(azcopy jobs show "$ID" --with-status=Success)

# Remove only the archives that azcopy reports as successfully copied;
# anything left behind is picked up again on the next run
for fn in $FILES; do
    if [[ "$fn" =~ ^/var/lib/xroad/mlog- ]]; then
        # Remove file from Security Server
        rm "$fn"
    fi
done

exit 0
[message-log]
archive-transfer-command=/usr/share/xroad/scripts/archive-logs.sh
These instructions can be used to transfer archived log records to Azure Blob Storage from Security Servers hosted on Azure. If the Security Server is hosted on another cloud or on-premises, another authorization method (other than a system-assigned managed identity) must be used. More information about the alternatives.
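Because the transfer of the archives is the administrator's responsibility and a silently failing archive-transfer-command leaves the only copy of the archives on the Security Server, a monitoring check is useful. The following is an added example (not part of the X-Road project or this page's script): it reports mlog-*.zip archives that have stayed in /var/lib/xroad longer than a threshold (720 minutes assumed here, two archiving intervals) and verifies that the configured archive-transfer-command points at an executable file; the path /etc/xroad/conf.d/local.ini is an assumption.

```shell
# Added monitoring check for X-Road message log archive transfer.
# Assumptions: archives are named mlog-*.zip in /var/lib/xroad (as in the
# transfer script on this page); a transfer is expected after every
# six-hour archiving run, so 720 minutes (two runs) is used as the default
# staleness threshold; the local configuration file path is assumed.

# Print archives in directory $1 that are older than $2 minutes, one per line.
# An empty result means every archive has been picked up by the transfer.
stale_archives() {
    local dir="$1" max_age_min="$2"
    find "$dir" -maxdepth 1 -type f -name 'mlog-*.zip' \
        -mmin "+$max_age_min" -print 2>/dev/null | sort
}

# Return 0 when no stale archives exist, 1 otherwise, so the function can be
# used directly as a cron or monitoring-agent probe.
check_archive_transfer() {
    local dir="${1:-/var/lib/xroad}" max_age_min="${2:-720}"
    local stale
    stale=$(stale_archives "$dir" "$max_age_min")
    if [ -n "$stale" ]; then
        echo "WARNING: archives older than ${max_age_min} min still in ${dir}:" >&2
        echo "$stale" >&2
        return 1
    fi
    echo "OK: no archives older than ${max_age_min} min in ${dir}"
    return 0
}

# Return 0 if the given ini file names an archive-transfer-command that
# exists and is executable, 1 otherwise. The file path is an assumption;
# the default matches where the page's [message-log] setting is expected.
transfer_command_configured() {
    local ini="${1:-/etc/xroad/conf.d/local.ini}" cmd
    cmd=$(sed -n 's/^archive-transfer-command[[:space:]]*=[[:space:]]*//p' \
        "$ini" 2>/dev/null | head -n 1)
    [ -n "$cmd" ] && [ -x "$cmd" ]
}
```

Both checks return a non-zero exit status on failure, so they can be chained from a scheduled job that raises an alert when either fails.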